Our Top Five Takeaways From Today's Hearings on Encryption

Despite all of the evidence to the contrary, FBI Director Comey wants you to know that he doesn't want another crypto war. As he said today in hearings before the Senate Judiciary Committee and Senate Select Committee on Intelligence (SSCI), he just wants a discussion. Of course, it's hard to have a discussion when you're not listening to anyone else. And in this case, Comey and those who support weakening encryption simply aren't listening to the experts telling them that backdoors or golden keys just won't keep us safe.

Much of what Mr. Comey, his law enforcement colleagues, and anti-encryption lawmakers said today repeated familiar tropes. But there were some important takeaways. Here are our top five:

5. Some Lawmakers Believe Public Safety is More Important Than the Constitution

I’ve heard my colleagues, with all due respect, talking about attacks on privacy and our constitutional rights et cetera, et cetera, but it seems to me that our first obligation is the protection of our citizenry against attack, which you agree is growing.

-Senator John McCain

Most elected representatives who support undermining encryption (along with other intrusive law enforcement measures like mass surveillance and unregulated use of surveillance technology) make arguments about striking a balance between civil liberties and safety. This hearing was no exception.

But even while lawmakers talk about striking a balance, they cite endless tirades of anecdotes about ISIS and Al Qaeda to support their need for whatever tool they want to adopt or keep, making it clear that in the current environment, they think we should reassess our ideas. Senator McCain was far more honest about where he stands than most elected representatives—instead of implying that safety is more important than the Constitution, he actually said it.

The reason lawmakers don't generally say that is probably because Congress takes an oath to uphold the constitution—including the rights that Senator McCain thought were important enough to warrant only an "et cetera, et cetera."

Of course, Senator McCain's statement is a red herring. As we explain below, we have no real evidence about how much of a problem encryption really is—but we DO know breaking it at the government's request is a serious threat not only to privacy, but to the safety of the Internet.

4. The Government Wants Companies To Hold the Keys—But The Companies Don't Want To

Both Deputy Attorney General (DAG) Sally Yates and FBI Director Comey said something important at the hearing—they're not looking for a "one size fits all" legislative solution right now. That's a good thing, of course. We would fight tooth and nail against any proposal undermining encryption. The technology industry has also made it clear that they oppose any such policies.

But if Comey and Yates don't want legislation, what do they want? DAG Yates repeatedly broached the idea that companies should be able to access their customers' data—presumably without customers' knowledge or consent. Senator Ron Wyden said that to him, it looks like we're moving towards a proposal that tech companies stockpile keys to encrypted communications. And when he asked Director Comey whether there has been any analysis of the effects of stockpiling of keys on cybersecurity, Director Comey wasn't able to answer.

Of course, regardless of who holds the key, creating a way to access data means creating a security flaw. Not only does it seem incredibly unlikely that industry would support a proposal that they “hold the keys,” we’d be left with the same problem—broken, unsafe products.

Throughout both hearings the ire of both law enforcement and Senators focused on one target: U.S. companies that create products the companies themselves can’t decrypt. Senator Waterhouse went so far as to propose that companies should be held liable for anything bad that happens because of their encryption. But strong encryption tools come from a variety of sources, including free and open-source software projects, as well as products developed by non-U.S. companies. The only major difference between these sources is the adoption rate; as Comey himself observed, default encryption on popular devices has created an inflection point. Whereas just a few years ago encryption was the realm of a tech-savvy few, now everyone has access to better security thanks to the sorts of changes Apple has made. So what would happen if we turned the clock back, as law enforcement is requesting?

The first thing to remember is that Congress can only impose mandates on U.S. companies. That means that we can only turn the clock back for commercial products developed or sold in the U.S. As Senator Blunt pointed out, this means that criminals or terrorists will just use encryption tools from elsewhere. We’d add that so will anyone concerned about privacy and security.

When asked about the availability of non-U.S. tools, Director Comey’s answer was that we would have to work with our allies to all come to the same rules regarding backdoors. But thanks to the Internet, all technology is global. It’s unlikely that every country that produces technology products is going to go along with this plan just to make the FBI’s life a little easier. What’s much more likely is that other countries will see the competitive advantage a U.S. mandate for backdoors gives their own companies—and U.S. companies will get hit even harder.

2. There’s No Hard Evidence That Law Enforcement is Actually “Going Dark”

In both hearings the witnesses representing law enforcement trotted out scary hypothetical situations and terrifying anecdotes about how encryption could stifle investigations and let “bad guys” go free. But when asked by Senators if they had any actual numbers on how often strong encryption thwarted investigations, neither Director Comey nor DAG Yates had any idea.

Both tried to duck the question by claiming that it was like “proving a negative.” But counting each time a law enforcement officer can’t access data because of encryption (or even just thinks they won’t be able to access data, without actually trying) doesn’t seem that difficult.1

The only actual number mentioned was from Manhattan District Attorney Vance, who said that his office had encountered locked iPhones 74 times. A spokesperson for his office told Wired that this was over 9 months, and that the office handles approximately 100,000 cases in the course of a year. This means the office encountered encryption in less than 0.1% of cases. That doesn’t sound like “going dark” is really a particularly pressing problem—especially since DA Vance didn’t bother toexplain how any of the 74 encrypted iPhones that his office encountered actually stood in the way of a successful prosecution.

For people whose jobs depend on the ability to present hard evidence to a judge in order to put “bad guys” away, you’d think Comey, Yates, and Vance would be able to come up with some better evidence that they’re actually “going dark.” Or maybe they think that when it comes to undermining everyone’s security, scare tactics—and not actual evidence—is sufficient?

1. Director Comey Wants the Impossible From Technologists

Multiple times during the hearings Director Comey admitted that he had no idea how to accomplish his goal of getting access to user data in actual practice, even going so far as to say “Don’t listen to me if I suggest a technical solution.” Instead, he insisted that he needs a way to get at encrypted data, and that he didn’t care what method companies used to provide that access. He also said (as he has before) that he doesn’t think providing that access will require a backdoor.

But saying that you want access to truly encrypted data without requiring a backdoor is like saying you want to travel to Mars without requiring the trip be via rocket. Sure, some ingenious person might invent a warp drive tomorrow that would allow you to do it—but nobody at NASA actually expects that to happen.

Similarly, no computer scientist or cybersecurity expert knows of a way to give Director Comey what he wants without weakening everyone’s security. They’ve told him that. They’ve been telling law enforcement that for nearly twenty years. But despite this, Director Comey testified today that he doesn’t think they’ve tried hard enough. He thinks that some genius in their garage in Silicon Valley might find a way to do it tomorrow. And Senator Mikulski said that she’s sure the patriots in Silicon Valley will step up to help their country.

It's possible the same people who invented the cryptography our technology relies on are wrong. And it's also possible that the standard model of physics is wrong and a different genius will invent a warp drive tomorrow, too. But we’re not going to hold our breath or stake our security on such a pipe dream.

1. Certainly, it would be a lot easier than trying to come up with a “securely” backdoored strong crypto system

Related Updates

Update (September 28, 2018): Reuters reports that the court has denied the government's request to force Facebook to assist with the wiretap. Late last week, Reuters reported that Facebook is being asked to “break the encryption” in its Messenger application to assist the Justice Department in wiretapping a...

In the public battle for strong encryption, EFF has championed the voice of everyday Internet users. After all, if we can’t rely on the security of our digital communications, how can the Web continue to grow and thrive?
Now the fight has moved to the Oval Office. EFF, Access Now...

Real Encryption Means Encryption Without Compromises. Updated 12/9/15
It’s a showdown over encryption, and we need your voice.
The Obama administration just responded to the 104,109 people who asked the president to stand up for strong encryption. The response—penned by Deputy U.S. Chief Technology Officer Ed Felten and Special...

Readers of these pages will be familiar with the debate going on between government officials and technologists around the world about law enforcement’s perceived need to access the content of any and all encrypted communications....

The FBI wants to ensure everyday people can't use strong encryption. For over nine months FBI Director James Comey has been pushing the FBI's twenty-year-old talking points about why he wants to reduce the security in your devices, rather than help you increase it. Director Comey will appear at...

Recently, FBI Director James B. Comey, along with several government officials, have issued many public statements regarding their inability to catch criminals due to Apple and Google offering default encryption to their consumers.We at EFF have been around long enough to see these nearly identical statements being made in...

FBI Director James Comey gave a speech yesterday reiterating the FBI's nearly twenty-year-old talking points about why it wants to reduce the security in your devices, rather than help you increase it. Here's EFF's response:
The FBI should not be in the business of trying to convince companies to...

Update 9/26/14: Recently Apple has announced that it is providing basic encryption on mobile devices that they cannot bypass, even in response to a request from law enforcement. Google has promised to take similar steps in the near future. Predictably, law enforcement has responded with howls of alarm.
...

Sunshine Week is often a time for transparency advocates to collectively lament about government secrecy and institutional resistance to accountability. But the week of advocacy is also an opportunity to highlight how, through patience and a lot of court motions, organizations such as EFF can pry important documents from agencies...